James R. Mirick sets the record straight on things he cares about

The New Landscape of Personal Internet Security

This is the second in a three-part series on a highly revised approach to keeping yourself safe and sound when you’re on the Internet. (If you missed it, the first part is here.) This is an entirely new approach, because the whole threat profile we face has been changing, and most of the recommendations passed out by presumed security gurus (including yours truly) are no longer appropriate or effective. This post is going to describe the current threat landscape so that my recommendations on protecting yourself will make a little more sense; those will be in Part 3.

OK then, what does it look like out there? There are lots of pressing threats, seemingly an infinite number and growing (if that’s possible!). But as we try to identify how we might best protect ourselves when we’re connected to the Internet, the actual number turns out to be much more manageable. Here’s a breakdown of the overall threat landscape, from the planetary to you, as I see it now. It includes:

Infrastructure threats, which target the basic routing and transport of content throughout the globe. This is not our problem, at least for this discussion, although it is an extremely serious problem for our government and the Internet’s managers.

Organization threats, those that aim at businesses, governments, or other entities, and which are mainly focused on network intrusion, data theft, site defacement, and operational disruption. I’m not dealing with those here, either.

Personal threats, what we care about here. These threats, at least the ones that you should worry about, can all be clumped into two main categories:

Attempts to steal account numbers, passwords, and other personal or family data from you by loading malicious hidden software onto your computer. In addition to enabling financial theft, this data might allow someone to impersonate you on the Internet and do things like post obscene messages in Facebook or put porn in your Flickr albums. Malicious software can also take your computer and make it a spam-spewing robot, or a participant in various kinds of attacks against organizations or even against the Internet’s infrastructure itself, and you don’t want to be a part of this, either.

Now, these are significant threats, of course, and you don’t want to be the one caught standing when the music stops. Just because these are high-order threats doesn’t mean that you can be excused to do nothing. On the contrary, you need to take some steps to avoid being victimized, but these steps can — surprisingly — be simpler than you might be thinking, or than what you’ve been told in the past. What is it that has changed over the last increment of time that modifies our approach to personal Internet security? Lots of things.

What’s Changed

First of all, the bad news is that the attacks are becoming vastly more sophisticated and therefore vastly more difficult to defend against. When I look at the technical dissection of typical first-line malware, I’m really impressed: these people really know what they’re doing. If you let one of these things into your machine, you’re gone. Attack software is exploiting vulnerabilities that the honest software vendors are hard-pressed to patch by the time the attacks start occurring. And once something gets into your computer, it’s essentially impossible to remove, so your only recovery is a down-to-the-metal system restore. It’s really nasty.

However, at the same time we’ve learned how to cope with it, just as our immune system learns to cope with an infection, and just as (as a species) we and the infectious agents tend to co-evolve in ways that reduce the impact of a given infection, so that not all the hosts die! When national credit cards became popular, certain kinds of fraud became possible that weren’t possible when the merchant knew every customer face-to-face. So our financial system developed ways to deal with it — transaction limits, anti-fraud software triggers, merchant interventions, and most importantly, consistent rules for managing disputes and apportioning fraud liabilities. Thus, the worst of the threats are blunted, coping mechanisms are created, the losses are contained, and the benefits are achieved.

Let’s consider for a moment identity theft. Five years ago this was almost unheard of. People who claimed identity theft were generally not believed, their credit was ruined, they were threatened with arrest, their assets were attached, and they worked for sometimes years to clear things up, all the time being abused by attorneys, police, and everyone else who just couldn’t believe this was real. What happens now? It’s a known and accepted risk, kind of like a fender-bender: nobody wants one, but they happen, and we all know what to do.

Now, if you are an identity theft victim, you call the police, fill out a form, send out the form to your banks and other merchants, get new credit cards, and so on. The average time to resolve an identity theft incident now is about 10 hours of your time, spread out over a couple of weeks. Like a fender-bender, not fun and worth avoiding, but fixable.

The same principle applies to electronic account access and transfers. Banks want people to use electronic transfers; it’s much cheaper than teller-assisted transactions or paper checks. So to standardize everything, the Federal Reserve Board issued Regulation E, which specifically states that it was issued “to protect consumers using electronic funds transfers.” Under the provisions of Reg E, it’s almost impossible for a consumer to be held responsible for the consequences of unauthorized electronic access to their accounts; the bank absorbs any unrecoverable losses. Based on the cost savings and customer satisfaction, they come out ahead even with these losses from time to time.

So . . .

So the net of all this is, although the direct attacks are increasingly cunning and vicious, even when they succeed they don’t impact the individual consumer as much as they used to. “We,” the society, have learned to cope with the resulting losses, keep the unlucky victims from being unduly penalized, and move on. And given this, the rules for keeping safe and sound on the Internet have changed, too, and actually simplified quite a bit. I’ll cover them in Part 3.
